Topic: How to fix this vulnerability in palo alto? (General Topics)
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/280006#M75810
How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/279954#M75796
Hi,

Please help to resolve the following vulnerability

Vulnerabilities:
1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

Thanks in advance

Posted by karthikeyanB, Tue, 30 Jul 2019 09:05:10 GMT

Re: How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/280006#M75810
@[uid 105432],

Any additional information here would be great, such as what interface you were scanning (MGMT, GlobalProtect Portal)?

Posted by BPry, Tue, 30 Jul 2019 16:30:27 GMT

Re: How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/280243#M75827
Management

Posted by karthikeyanB, Wed, 31 Jul 2019 08:48:40 GMT

Re: How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/281227#M75935
Hi Team,

Could you help us here to fix the vulnerability?

Note: Getting this vulnerability when scanning the Management port.

PAN-OS version 8.1.9

Regards,
Sethupathi M

Posted by Sethupathi, Tue, 06 Aug 2019 05:03:34 GMT

Re: How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/281240#M75937
Re: How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/293274#M77550
Hi

We are also getting the same vulnerabilities from security scans on the Management port.

We are running PAN-OS 8.1.9

Any assistance would be greatly appreciated.

Regards

Stuart

Posted by Stuart_Walton, Fri, 18 Oct 2019 12:42:26 GMT

Re: How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/293324#M77561
Hi Stuart,

For the HTTP OPTIONS and DELETE methods being allowed (note there is no associated CVE and both are standard HTTP methods):

After review, both HTTP methods do not have an actual impact on the firewall management Web GUI; therefore the said vulnerability was not applicable in this scenario.

The Palo Alto firewall allows the HTTP OPTIONS and DELETE methods because a new RESTful API capability is using them, not the web server itself. Therefore these two listed vulnerabilities are not applicable to the Palo Alto Networks firewall.

- HTTP DELETE Method
- HTTP OPTIONS Method

For the last vulnerability, "3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)", related to static key ciphers, this can be mitigated by using an ECDSA-based certificate, which will limit the firewall to the following forward-secrecy ciphers in 8.1:

ECDHE-ECDSA-AES-128-SHA
ECDHE-ECDSA-AES-256-SHA
ECDHE-ECDSA-AES-128-GCM-SHA-256
ECDHE-ECDSA-AES-256-GCM-SHA-384

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC

Steps for securing the administrative access:

1) Generate/import an ECDSA server certificate on the firewall. This can be generated by using a self-signed ECDSA CA or your internal PKI ECDSA certificate. Please note the certificate that is referenced by the SSL/TLS service profile cannot be a CA certificate.
2) Create an SSL/TLS service profile with Min and Max versions set to TLSv1.2
3) Reference the ECDSA certificate in the service profile
4) Apply the profile(s) to the various L3 SSL/TLS services

Hope this clarifies.

Regards,
Sethupathi M

Posted by Sethupathi, Sat, 19 Oct 2019 07:04:15 GMT

Re: How to fix this vulnerability in palo alto?
https://live.paloaltonetworks.com/t5/general-topics/how-to-fix-this-vulnerability-in-palo-alto/m-p/311198#M80549
Hello

We want to find out with your help if there are recommended official docs about those vulnerabilities identified in a generic Vuln Scan on the Management Web Interface:

1. HTTP DELETE Method Enabled (http-delete-method-enabled)
2. HTTP OPTIONS Method Enabled (http-options-method-enabled)
3. TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

Do you know if there is official PaloAlto documentation support?
Thanks for your help

Posted by egarantiva, Fri, 14 Feb 2020 06:54:39 GMT
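An added example (not from the thread or Palo Alto Networks) that verifies, from an admin workstation, the outcome Sethupathi's steps above aim for: the management interface accepts only TLSv1.2 or later and no static-key suites. HOST and PORT are placeholders; suite names are OpenSSL's, which spell the PAN-OS names above slightly differently (ECDHE-ECDSA-AES-128-GCM-SHA-256 appears as ECDHE-ECDSA-AES128-GCM-SHA256).

```python
"""Post-remediation TLS check for a firewall management interface. Added
example, not from the thread or Palo Alto Networks; HOST/PORT are placeholders.
Confirms what the fix above aims for: TLSv1.2 only and no static-key suites."""
import socket
import ssl

HOST, PORT = "firewall-mgmt.example.internal", 443   # placeholder target

def is_forward_secret(suite: str) -> bool:
    """ECDHE-/DHE-/EDH- suites and every TLS 1.3 suite (TLS_...) use ephemeral keys;
    anything else (AES128-SHA, ECDH-RSA-..., DES-CBC3-SHA) is a 'static key cipher'."""
    return suite.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))

def handshake(host, port, ciphers=None, min_ver=ssl.TLSVersion.TLSv1_2,
              max_ver=ssl.TLSVersion.TLSv1_3, timeout=5.0):
    """One handshake attempt: (True, suite) on success, (False, None) if the
    server refuses, (None, None) if this client cannot even offer the settings."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # chain not under test
        ctx.minimum_version, ctx.maximum_version = min_ver, max_ver
        if ciphers:
            ctx.set_ciphers(ciphers)
    except (ValueError, ssl.SSLError):      # e.g. OpenSSL built without TLS 1.0
        return None, None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return False, None

def check_management_tls(host, port):
    """Each probe maps to a finding: True = still present, None = not testable."""
    v, legacy = ssl.TLSVersion, "DEFAULT:@SECLEVEL=0"   # SECLEVEL=0 lets us offer 1.0/1.1
    findings = {
        "TLS 1.0 accepted": handshake(host, port, legacy, v.TLSv1, v.TLSv1)[0],
        "TLS 1.1 accepted": handshake(host, port, legacy, v.TLSv1_1, v.TLSv1_1)[0],
        # kRSA = static RSA key exchange; cap at 1.2 so a TLS 1.3 pick cannot mask it
        "static-key cipher accepted": handshake(host, port, "kRSA", v.TLSv1_2, v.TLSv1_2)[0],
    }
    ok, suite = handshake(host, port)
    findings["no TLSv1.2+ handshake possible"] = not ok
    findings["negotiated suite not forward-secret"] = bool(suite) and not is_forward_secret(suite)
    return findings, suite

if __name__ == "__main__":
    findings, suite = check_management_tls(HOST, PORT)
    print(f"{HOST}:{PORT} negotiated {suite}")
    for name, present in findings.items():
        print(f"  [{ {True: 'FAIL', False: 'ok', None: 'n/a'}[present] }] {name}")
```

Run it before and after committing the new SSL/TLS service profile: afterwards every line should read ok and the negotiated suite should be one of the ECDHE-ECDSA suites listed in the answer.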